[SOLAR_FIELDS]

Is this normal? I’m only ancillary to security stuff like this but without details of the exploit it’s hard to say whether or not this is scandalous or not. It’s possible Apple made a mistake here, but is that a more likely scenario than the vuln just not being exploitable enough to warrant a bounty?

[kryptiskt]

It was notable enough to be mentioned in their release notes for iOS 17.5, https://support.apple.com/en-gb/HT214101. I think that if they have to patch it, it's serious enough to reward the researcher for it. Like, it's not charity, it's not a thank you, it's an investment in their own platform's security. By not paying out they are only hurting themselves.

[pdpi]

Bug bounties are a social solution to a social problem. In many ways, the actual money is less important than being seen to earnestly engage with the programme.

Being hard-nosed about refusing to pay a bounty on a privilege escalation bug is a rookie mistake. It engenders ill will and cements your relationship with security researchers as adversarial rather than cooperative.

[mdhb]

This is very much not normal and is absolutely a scandal.

[deanishe]

It's pretty normal for Apple, tbh.

They have a long history of refusing to pay bug bounties.

[mdhb]

One has to wonder how many of the exploits out there don’t end up making their way to Cupertino as a result and what the consequences of that will be.